Yesterday, someone explicitly threatened to launch a negative SEO attack against our website. Unless we pay a sum of money in the next 24 hours, our backlink profile will be flooded with toxic links.
(Honestly, it all sounds like the plot of a terrible James Bond movie. But I digress.)
We have no intention of paying these people so I fully expect our site to be bombarded with unnatural links in the very near future.
And when that happens, I will use this post to document absolutely everything (e.g., a description of the attack, an analysis of its impact, recovery steps, etc.).
Since negative SEO continues to be one of the most hotly debated topics in our community (look here and here), I’m hoping this case study in-progress can contribute to that debate, while also serving as a comprehensive guide for diagnosing and recovering from a negative SEO attack.
With that in mind, let’s start from the beginning…
August 11, 2014
2:19pm CT — “Rannvijay Singh” (email@example.com) sends us a very cryptic email through our site’s contact form:
I found your website by searching Google with “seo tips” – I am interested to buy – can you please guide me ?
There’s nothing particularly exciting about this email. It looks like just another spam message from just another spammer. A normal, sane person would delete it and never look back.
But I’m not a normal, sane person. I’m a masochist that spent years of my life fighting spam (no, seriously: that’s how I got those goofy letters after my name), and I genuinely enjoy “corresponding” with spammers.
(Unfortunately, I was really busy on the 11th so I completely forgot to respond to Rannvijay until…)
August 12, 2014
11:10pm CT — I send the following generic response (primarily because it’s always fun to see what a spammer’s second email will look like):
Thanks for contacting us. Can you elaborate on what you’re interested in buying?
Nothing sexy here. Just a short and sweet message to let him know I value his spamming. Now, we wait…
August 13, 2014
2:29pm CT — Well, that didn’t take long. Rannvijay decides to take our relationship to the next level by sending me an absolute novel:
Read this email very carefully.
This is an extortion email.
We will do NEGATIVE SEO to your website by giving it 20,000 XRumer forum profile backlinks (permanent & mostly dofollow) pointing directly to your website and hence your website will get penalised & knocked off the Google’s Search Engine Result Pages (SERP) forever, if you do not pay us $1,500.00 (payable by Western Union).
This is no false claim or a hoax, download the following Notepad file containing 20,000 XRumer forum profile backlinks pointing to http://www.negativeseo.cn.pn/ (this is our website and go and see on this website, you will find our email address firstname.lastname@example.org from which this email right now is being sent to you) :
Just reply to this email to let us know if you will pay just $1,500.00 or not for us to refrain or not from ruining your precious website & business permanently. Also if you ignore this email and do not reply to this email within the next 24-48 hours, then we will go ahead and build 20,000 XRumer forum profile backlinks pointing directly to your website.
We are awaiting your wise decision.
There is a lot to love about this “extortion email” so allow me to break it down line-by-line…
If you’re going to try to extort money from me, at least have the common courtesy to use my name. Come on Rannvijay, you’re better than that.
- Read this email very carefully.
I’m parsing it line-by-line in a blog post so I hope that’s careful enough for you.
- This is an extortion email.
This part of the email actually made me laugh out loud. “I’m totally trying to steal money from you right now.” I take it all back, Rannvijay: you’re the best.
- We will do NEGATIVE SEO to your website by giving it 20,000 XRumer forum profile backlinks…
I’ll be honest with you. I didn’t realize people were still using XRumer. Did I just wake up in 2012?
- … your website will get penalised & knocked off the Google’s Search Engine Result Pages (SERP) forever…
Forever? Like forever ever?! Now, you’re just being hurtful.
- … if you do not pay us $1,500.00 (payable by Western Union).
This is my favorite part of the email. Assuming I was dumb enough to pay the money, how would I even do so? Does Western Union know Rannvijay on a first name basis? Am I supposed to guess where to send the money? I feel like this extortion is being run by a bunch of 8 year olds.
- This is no false claim or a hoax…
I sure as hell hope not. I’ve already spent a lot of time reading this nonsense. And this blog post is going to look really silly if you don’t follow through with your threats.
- … download the following Notepad file containing 20,000 XRumer forum profile backlinks pointing to http://www.negativeseo.cn.pn/ (this is our website and go and see on this website, you will find our email address email@example.com from which this email right now is being sent to you) :
This is incredibly confusing. Why should I care about 20,000 backlinks that Rannvijay pointed at his own site? A monkey can generate XRumer links. Literally. A monkey.
I really hope he’s planning to use that site (or any of those links) to launch the attack. That will make my job suuuuuuuuper easy.
(P.S. It’s adorable that he referred to a text file as a “Notepad file” — kids say the darndest things.)
Anyway, since Rannvijay is very proud of his site and his spammy links, let’s take a look at them…
First, here’s a screenshot of the site:
As you can see, it’s not much to look at. However, in addition to providing valuable “facts” about negative SEO, the site offers critical information about human growth hormones and the best company for tiling Marlborough, Massachusetts. Ladies and gentlemen, this is content marketing at its finest!
The best part of the site is the following line:
If you have any questions about negative SEO, then please feel free to email me to <firstname.lastname@example.org>
I don’t know about you, but I have all kinds of burning questions about negative SEO. And now I have someone to answer them! Thanks Rannvijay!!!
(P.S. If anyone has negative SEO questions, leave them in the comments below. I’ll be happy to forward them on to Rannvijay. Also, feel free to email him yourself — I’m sure he’s willing to answer everyone’s questions.)
Next, here’s a screenshot of one of the XRumer links (if you want the full list of links, you can download it here):
This is all pretty standard stuff. If you’ve ever performed a link audit for a penalized site, you’ve already seen much more exotic examples than this.
Anyway, let’s get back to the email…
- Just reply to this email to let us know if you will pay just $1,500.00 or not for us to refrain or not from ruining your precious website & business permanently.
Pay just $1,500.00? You mean I have the option of paying more?! Well, sign me up! And do you think you could say, “or not” a few more times. This sentence was way too easy to read… or not.
- Also if you ignore this email and do not reply to this email within the next 24-48 hours, then we will go ahead and build 20,000 XRumer forum profile backlinks pointing directly to your website.
That’s not very nice. What if I didn’t receive this email until after 48 hours? Rannvijay, I’m beginning to think you’re a real asshole.
- We are awaiting your wise decision.
That makes two of us. The “wise decision” would have been to stop reading this email after “Hello,” but we’re way past that now!
You’re too good to sign your full name?! That is officially the straw that broke this camel’s back. Game on, Rannvijay. GAME ON!!!
10:33pm CT — We receive the exact same email from a different email address (email@example.com). Call me crazy, but if I was trying to extort money from someone, I’d at least try to establish a consistent form of communication with that person.
Also, I’m curious if this second email means we received an extension on our payment deadline. Does the 24-48 hour time window start from the first email… or the second one? If we keep receiving emails, does that mean the timer will keep resetting?
These are the questions you’re forced to ask yourself when you’re dealing with 8 year olds.
August 14, 2014
1:55am CT — This post goes live.
At the moment, I’m just waiting for the attack to begin. I still haven’t responded to Rannvijay’s extortion emails (aside from my public line-by-line response above) because I want to see if the correspondence changes after 24-48 hours have passed.
Specifically, I’m wondering if Rannvijay will let me know when he’s launching the attack. Will he try to give me a last second discount?! Will he ever stop replacing “and” with &?!?!
10:27am CT — Rannvijay sends us a very brief follow-up email from the second address (firstname.lastname@example.org):
What did you decide ?
Well, I decided a few things, actually. First, I decided not to pay money to an imaginary Western Union account. Then, I decided to document this entire saga in a blog post. But most importantly, I decided that we can’t be friends. I’m sorry, Rannvijay.
And it’s not me… it’s most definitely you.
2:50pm CT — Multiple people have now received the same payment instructions (we received them, James posted them in the comments below, and Chris Dyson received them by trolling Rannvijay — more on that in a moment):
Pay $750 and $750 to the following 2 persons by WesternUnion and after you send the money by WesternUnion, then email me the 2 MTCN numbers, the exact amount to be received in Indian Rupees (currency) & the money sender’s full name and address and phone number.
Recipient 1 ($750.00) :
Full name : Samarendranath Das
Address : Acharya Prafullanagar, Pashchim Para, Rajpur, Sonarpur, Sonarpur
City : South 24 Parganas
PIN Code : 700150
State : West Bengal
Country : India
Mobile : +919831480728
Recipient 2 ($750.00) :
Full Name : Sanjay Das
Address : Acharya Prafullanagar, Pashchim Para, Sonarpur,
City : South 24 Parganas,
PIN Code : 700150
State : West Bengal
Country : India
Mobile : +919836255433
After you send the $750.00 + $75 0.00 by WesternUnion, then email me the 2 MTCN numbers, the exact amounts to be received in Indian Rupees (currency) & the money sender’s full name and address and phone number.
Confirm that you have received this email and confirm that you will pay and when you will pay ?
Since all 3 of us received the exact same instructions, I think it’s safe to say this information is correct. Now, we just need to think of creative ways to use that information.
In the meantime, let’s take a moment to praise our good friend, Chris Dyson. As I mentioned above, he’s been trolling Rannvijay all day, and here’s one of the emails Chris received:
I have sent emails to 60+ webmasters about this negative SEO and some of them has responded positively and some of them have responded negatively. You are the only one who has responded anonymously. Those webmasters, who are responding negatively or not responding at all, will have their websites done with the negative SEO, including you, if you do not pay up.
Let me know what you think.
This email is AMAZING for so many reasons. First, if Rannvijay is telling the truth, people have actually responded positively to his threats. I’m really hoping those people only “responded positively” to get contact information and payment instructions (like James, Chris, and I did) — and not to actually pay this idiot.
Second, I think it’s incredibly funny that Rannvijay is threatening an anonymous email account (Chris was trolling him with a generic Gmail address). “I don’t know who you are, but I’m still going to negative SEO the hell out of your site!” Kids will be kids.
August 17, 2014
9:24am CT — Nothing particularly exciting happened over the weekend. We haven’t received any new emails, and we still haven’t observed any changes to our backlink profile.
Here’s a screenshot of the profile:
As you can see, the profile has the same name (Sanjay Das) and almost the same address (North 24 Parganas instead of South 24 Parganas) as Recipient 2 in the payment instructions (see above). This might just be a huge coincidence, but it’s still interesting.
Second, Akshay provided various resources for reporting incidents of cyber crime in India. Most notably, here is the contact information for West Bengal (the state listed for both recipients in the payment instructions):
CID, Cyber Crime
Ph: +9133 24506163
If you also received these extortion emails from Rannvijay, feel free to use this contact information to report the extortion attempt to the local authorities.
Finally, Richard Baxter suggested I dig through our logs to identify Rannvijay’s IP address and user agent. I have to admit I’m embarrassed I didn’t do this from the very beginning (thank you for helping me pull my head out of my own ass). Anyway, the IP address is 126.96.36.199, and here’s the user agent:
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Now, let’s take that information and run with it…
Based on the user agent, Rannvijay is using a relatively updated version of Chrome on Windows 7. This result is not particularly helpful because a large percentage of our site’s visitors use that browser/operating system combination.
However, the IP address is much more interesting. Here are just a few network-related details:
ISP: Alliance Broadband Services Pvt. Ltd.
Address: Kolkata, West Bengal (28), India
Contact: Sk Akramul Alam
P-89 C.I.T Road
2nd Floor, Kolkata – 700014, India
This is even more evidence that the payment information (see above) actually contains legitimate addresses (if nothing else, it verifies that West Bengal is the appropriate Indian jurisdiction for reporting this incident as a cyber crime).
Anyway, this exciting saga continues…
What Do You Think?
As I mentioned at the beginning of the post, I fully intend to document everything that happens from here on out. If you have any comments or questions about anything, please let me know in the comments below.